Automate Your Server Security With GrapheneX - Episode 237

November 11, 2019

Summary

The internet is rife with bots and bad actors trying to compromise your servers. To counteract these threats it is necessary to diligently harden your systems to improve server security. Unfortunately, the hardening process can be complex or confusing. In this week’s episode 18-year-old Orhun Parmaksiz shares the story of how he and his friends created the GrapheneX framework to simplify the process of securing and maintaining your servers using the power and flexibility of Python. If you run your own software then this is definitely worth a listen.

Do you want to try out some of the tools and applications that you heard about on Podcast.__init__? Do you have a side project that you want to share with the world? With Linode’s managed Kubernetes platform it’s now even easier to get started with the latest in cloud technologies. With the combined power of the leading container orchestrator and the speed and reliability of Linode’s object storage, node balancers, block storage, and dedicated CPU or GPU instances, you’ve got everything you need to scale up. Go to pythonpodcast.com/linode today and get a $60 credit to launch a new cluster, run a server, upload some data, or… And don’t forget to thank them for being a long time supporter of Podcast.__init__!

Announcements

Hello and welcome to Podcast.__init__, the podcast about Python and the people who make it great.

When you’re ready to launch your next app or want to try a project you hear about on the show, you’ll need somewhere to deploy it, so take a look at our friends over at Linode. With 200 Gbit/s private networking, scalable shared block storage, node balancers, and a 40 Gbit/s public network, all controlled by a brand new API you’ve got everything you need to scale up. And for your tasks that need fast computation, such as training machine learning models, they just launched dedicated CPU instances. Go to pythonpodcast.com/linode to get a $20 credit and launch a new server in under a minute. And don’t forget to thank them for their continued support of this show!

Having all of your logs and event data in one place makes your life easier when something breaks, unless that something is your Elastic Search cluster because it’s storing too much data. CHAOSSEARCH frees you from having to worry about data retention, unexpected failures, and expanding operating costs. They give you a fully managed service to search and analyze all of your logs in S3, entirely under your control, all for half the cost of running your own Elastic Search cluster or using a hosted platform. Try it out for yourself at pythonpodcast.com/chaossearch and don’t forget to thank them for supporting the show!

You listen to this show to learn and stay up to date with the ways that Python is being used, including the latest in machine learning and data analysis. For even more opportunities to meet, listen, and learn from your peers you don’t want to miss out on this year’s conference season. We have partnered with organizations such as O’Reilly Media, Dataversity, Corinium Global Intelligence, Alluxio, and Data Council. Upcoming events include the combined events of the Data Architecture Summit and Graphorum, the Data Orchestration Summit, and Data Council in NYC. Go to pythonpodcast.com/conferences to learn more about these and other events, and take advantage of our partner discounts to save money when you register today.

Your host as usual is Tobias Macey and today I’m interviewing Orhun Parmaksiz about GrapheneX, a framework for simplifying the process of hardening your servers.

Interview

Introductions

How did you get introduced to Python?

Can you start by explaining what we mean when we talk about hardening of servers?

What are the common ways of hardening a system, which techniques can we use for this purpose?

What are some of the high level categories of threats that operators should be considering?

What is GrapheneX and what was your motivation for creating it?

How does GrapheneX aid users in the process of increasing the security of their infrastructure?

Is any extra operating system knowledge required for using GrapheneX?

Can you talk through the workflow for someone using GrapheneX to harden their systems?

What options does it support for managing deployment across a fleet of servers?

Some security controls can actually prevent proper operation of the applications and services that are deployed on a server. How do you approach preventing those scenarios or educating the users in determining which controls are appropriate?

Why did you choose Python for a project like GrapheneX?

How is GrapheneX implemented?

How has the design evolved since you first began working on it?

If you were to start the project over today, what would you do differently?

Do you accept contributions to the framework? If so, what kind of contributions are needed for improving GrapheneX?

For someone who is interested in adding a new module to the framework, what is involved?

What have you found to be the most interesting or challenging aspects of your work on GrapheneX?

What, if any, aspects of server security have you consciously avoided implementing in GrapheneX?

Hello, and welcome to Podcast.__init__, the podcast about Python and the people who make it great. When you're ready to launch your next app, or want to try a project you hear about on the show, you'll need somewhere to deploy it. So take a look at our friends over at Linode. With 200 gigabit private networking, scalable shared block storage, node balancers, and a 40 gigabit public network, all controlled by a brand new API, you've got everything you need to scale up. For your tasks that need fast computation, such as training machine learning models, they just launched dedicated CPU instances. They also have a new object storage service to make storing data for your apps even easier. Go to pythonpodcast.com/linode, that's L-I-N-O-D-E, today to get a $20 credit and launch a new server in under a minute, and don't forget to thank them for their continued support of this show. Having all of your logs and event data in one place makes your life easier when something breaks, unless that something is your Elasticsearch cluster because it's storing too much data. CHAOSSEARCH frees you from having to worry about data retention, unexpected failures and expanding operating costs. They give you a fully managed service to search and analyze all of your logs from S3, entirely under your control, all for half the cost of running your own Elasticsearch cluster or using a hosted platform. Try it out for yourself at pythonpodcast.com/chaossearch and don't forget to thank them for supporting the show. You listen to this show to learn and stay up to date with the ways that Python is being used, including the latest in machine learning and data analysis. For even more opportunities to meet, listen and learn from your peers, you don't want to miss out on this year's conference season. We have partnered with organizations such as O'Reilly Media, Corinium Global Intelligence, Alluxio and Data Council.
Upcoming events include the Data Orchestration Summit and Data Council in New York City. Go to pythonpodcast.com/conferences to learn more about these and other events and take advantage of our partner discounts to save money when you register today. Your host, as usual, is Tobias Macey. And today I'm interviewing Orhun Parmaksiz about GrapheneX, a framework for simplifying the process of hardening your servers. So Orhun, can you start by introducing yourself?

Thanks for having me on the podcast, Tobias. It's an honor to be here. My name is Orhun Parmaksiz, and I'm a good old Linux enthusiast. Also, I'm studying software engineering. Most of the time, I like to deal with the economic stuff and I try to create projects for Linux also. And I can say that I'm a self-taught programmer and developer, and I still try to learn programming languages and new technologies to implement in those projects. And my goal is to keep innovating and create projects that will help the community and the users.

Yes, I think it was 2016 that I decided to learn Python. It was because my classmates at school were into it, and they were doing some simple programs with it. And I was just curious about Python. So I went to a bookstore and bought a book about Python. It was kind of a tutorial book. But when I got to the middle of the book, I was bored, because most of the time when I decide to learn a programming language, I try to do something with it, not just follow along with tutorials. So I stopped reading the book, and I tried to create a simple project with it. Python is a very simple and easy-to-use language, and there are a lot of libraries for doing various things. So I created my first Python project in 2016. It was a good project for me to learn and practice Python with, and I kept learning it. And that's how I was introduced to Python.

And now you've been working on the GrapheneX project, which as we said is for hardening servers, I'm assuming Linux servers primarily. And I'm wondering if you can just start by explaining a bit about what we mean when we use the term hardening in the context of servers and security, and some of the common techniques and methods that you might use to achieve that hardening?

Yeah, of course. So when we say hardening, we mostly mean securing a system by reducing its surface of vulnerability. I'll just continue with an example. So let's say we have a Linux server running and we misconfigured some files. We have some bad configuration files that will allow users to access the admin panel with the default password; it's a very common scenario. So if we change the configuration files and change the password as well, we can call this a hardening process. Another example is disabling services or removing users on a system that will cause different things, like, you know, they will be used to exploit the system. So these are different examples: removing users, disabling or removing services. Another thing that we can do to harden our system is enabling a firewall, and there are different examples too, but this is hardening basically. So if you want to harden a system, we can achieve this in two ways. One is executing system commands to harden that system. And the other one is mostly about standards, hardening standards, and it includes some tools for automating the hardening process. So these are the common techniques.

So I face elevation of privilege attacks or attack vectors most of the time, but there are also some network issues, like some vulnerabilities that will let users spoof network packets or send malicious requests. So these are the two common things that I face that cause those types of threats. Hardening should be an important term to developers and the operators.

So GrapheneX is an automated system hardening framework. So before I give an explanation about the project, I want to give a quick shout out to my friends that helped me to build GrapheneX, because we are a team actually. We are friends, but we created a team called the GrapheneX team and I lead the project. So the names are Mr. Park or rich and as focused on if I didn't accept, I can collide you and Thailand Don; they helped me to build the GrapheneX project. I'd like to mention the name of the project too. Graphene is a one-atom-thick layer of carbon atoms arranged in a hexagonal lattice, so it's about 100 times stronger than the strongest steel. We chose the GrapheneX name because graphene is something stronger than strong steel, and we try to harden systems. So we think it's a good relation between these two names. And X is just a suffix that we like to use while creating projects. So the GrapheneX project is an automated framework. We call the project a framework because there are different features and different commands that you can run, or different types of things that you can do. And it's automated because there's a thing called presets in GrapheneX that will automate the process of hardening. So we try to provide a framework for securing systems with hardening commands automatically. Actually, I'd like to mention the motivation behind it before I go into the technical details. So we have a group on Telegram with my friends; we always like to do things together, like projects. So one day we decided to make a project together. And we were thinking, and one of my teammates just sent a post to our group, which was a hardening checklist, a Linux hardening checklist. It contains different commands for hardening your Linux system.
So I was like, can we just automate this and put these commands in a framework that will run on the user's system? So we were like, okay, we decided to create a project for this purpose. And we tried to design the project for end users, as well as for Linux and Windows developers. And basically it executes hardening commands on the back-end side. And there's a website of it too. And that's basically it about GrapheneX.

And you mentioned that it helps to automate executing this list of commands for being able to improve the overall security of a system. I'm wondering if you can talk through an example workflow of somebody using GrapheneX to harden their system, and some of the options that are exposed, and just some of the overall decisions that they need to make as they're interacting with the software.

Okay, so first of all, you have to install GrapheneX. Obviously, you can achieve that by building from the source or using the package; we have a package called grapheneX. And after that, you have two options for hardening your system with GrapheneX, which are using the interactive shell or the web interface. For the interactive shell, we developed this side of the project for the people that are used to the Linux operating system. There are commands for hardening, and when you go to your terminal and type the name of the project, grapheneX, it will give you the interactive shell. You can list commands with the help command. And it's very easy actually: you can switch to namespaces or modules. We call the hardening commands modules, and every individual module affects a part of the system, so we call that part a namespace. There are different namespaces there; you can switch to them with the switch command, or use the use command for selecting a module, then the harden command will execute the hardening command of that module automatically. The other option for using GrapheneX is the web interface. You can start the web interface with the -w command parameter from your terminal, or by just typing web into your interactive shell. It will start a web server for accessing the GrapheneX website, and there's an extra precaution there, which is the access token, because you can access the web interface from different machines if you start it with the host parameter, but we try to prevent this with the access token. So it will request an access token before redirecting you to the actual GrapheneX interface. So when you start the web interface from the terminal, it will give you an access token, and you can access your web interface with that access token. So these are the two ways of using GrapheneX.
The web interface is quite simple to use, because there's a list of modules where you can see the hardening commands or execute the hardening command. There's a drop-down menu for seeing the namespaces, and that's pretty much it.

And for performing this hardening on a single server, it's obviously easy to choose between either doing a web interface or a command line for somebody who's comfortable in either environment. But for using this across a fleet of servers when you're trying to automate deployment, I'm assuming that you would just use the command line, or is it possible to generate a configuration file that GrapheneX can consume and then run the automated set of routines that you want given the profile of the instance?

Actually, there's not a feature for this type of operation, but you can use the web interface for these types of servers, or there's a Dockerfile that you can use to automate this process. But actually, no, we don't support this type of thing, but we can, you know, improve the framework for this purpose.

And as far as the security controls that you're enabling, sometimes they can end up interfering with the operation of software that you're actually trying to run on the system, such as maybe you accidentally close down firewall ports that are necessary for the networked application that you're trying to build. Or, you know, sometimes some of the, for instance, AppArmor profiles and web based systems can interfere with proper operation of a piece of software. So I'm curious if you have any safety mechanisms or warnings built into GrapheneX to let people know that this might end up interfering with their software, or maybe some way of detecting what software is running and then letting people know that if you enable a particular profile or a particular command within a namespace, it's going to prevent a piece of software from working on the system.

This is a good question, because when we try to find eligible modules for the framework, it's something that we always consider. So we have modules, and modules have the description of the OS command for the hardening process. Actually, we try to give every detail about that command to the user with the info section of the module. But we don't have a control mechanism like that for preventing running the commands that you said, but we always try to inform the user about that command. And most of the commands require root access, so we warn users about them, but we don't warn about the contents of that module. Instead, we try to inform about the content of the module, and the user should be careful about what he or she is doing with the module. So we don't have any warning mechanism or checking; we do not check the service or the file content before executing the hardening command or the module. But we try to inform the user, basically.

Can you talk through a bit about how GrapheneX is implemented at the sort of technical level, and some of the ways that the overall system design and capabilities have evolved since you first began working on it?

Of course. So we have a team, so we try to keep things simple, and we try to choose a programming language that everybody knows and is capable of doing some things with, and we chose Python to move on. We started with writing the interactive shell. We used Python's cmd module for it; it has the features that we wanted, and we created the interactive shell with it. Then we moved on to the web interface, which is currently Flask and Socket.IO based, but we will probably change it later to something else. Actually, we have a pull request that will change the entire back-end side of the web interface, but we use Flask for now. And the hardening process is handled with the standard built-in libraries; we use them for executing the system commands. We didn't use anything external for this purpose. And other things like the logs and the colored logs, we use the colorama and coloredlogs modules, and printing is handled with the terminaltables library. And some commands request user input, and we used the PyInquirer library for the prompt. And this is pretty much it about the technical side of the project. We tried to keep it simple. And on the website, I have to mention JavaScript and HTML and CSS, the classic way of creating simple websites. Actually, I'm not a web guy, so one of my teammates handles all the web side of the project. And this is pretty much it about the tech side of the project.

And if you were to start the whole project over now that you have gotten further into it and have a better understanding of the overall problem space and some of the design constraints and possibilities, are there any aspects of it that you would change, or anything that you would do differently?

Probably. I will start with the finding of modules, because it's the hard side of doing a project like this: you have to find eligible modules for the framework. And we did it at the end of the project. We created our modules XML file, which contains all of the modules, at the end of the project. We basically finished all the features, then we tried to find modules or create or migrate our modules. So I will probably start with that step, because you can find or create your Linux or Windows commands easily and quickly. So I will start with that. And probably I will use a different technology on the website of the project, because we are just changing it right now to React. I don't know why, actually; it's probably more optimized than the Socket.IO and Flask. I'll probably think more about the web interface, and I'll just lead the project according to those changes.

And as far as the module interface, what is involved in actually creating a new module? And are there any gaps in terms of the current implementation that you are looking for help with, as far as adding new capabilities to the framework?

Okay, so if you want to add a module to the framework, there are three ways of doing this. The first one is using the manage command from the interactive shell. It will ask you for inputs about that module. Actually, there are two things that you can do with the manage command. The first one is adding a module, the other is editing an existing module. So if you choose the add option, it will ask you about the module: description, name, and the command that will run for the hardening process. You can use the manage command for adding a module, or you can add modules from the web interface. It's pretty simple: there's a button for editing a module, and you'll see a page that will ask for the module details.
And the third way is editing the modules XML file directly. We use that file for parsing the module details and listing them, or any other operations. So if you modify the modules XML file, it will change the module details in the framework. Since we tried to design GrapheneX very abstracted from the modules XML, you can just change that file to change the behavior of the project, because it basically takes the hardening commands from that file and executes them depending on the user input. So there are three ways of adding a new module. And we actually have an open issue for GrapheneX contributions. It's about adding modules to the framework, obviously, because you can improve the framework technically, on the back end or on the front end side, but we need modules for the framework to run or operate as expected. And it's important to add more modules to the framework, so we accept contributions to the framework, in terms of modules.

Actually, we do not test them with any type of tool, but we test them on our systems or virtual machines. You know, it's like a process of approving a pull request. All of the team members have to approve the module before we get it into the framework. And we use our own systems, but we use virtual machines to test those commands too. So that's the technique that we use for testing modules before adding them to the framework.

And as far as your experience of building GrapheneX and working with your friends on improving it, what have you found to be some of the most interesting or unexpected or challenging aspects of the project, and any particularly useful lessons that you've learned as a result?

The interesting part of the project was learning frameworks, especially Flask, and the website is something that I'm not used to. So it was interesting to learn different technologies while working on this project. And the challenging aspect of GrapheneX was obviously finding modules and creating modules. And since I lead the project, it was even harder to split the team for finding eligible modules for the framework. It was not my first experience, quite an experience, but some technical stuff was challenging too, like, you can write the same program with different approaches. And we have a team, so we have different opinions. We were always thinking about which is the optimized way of doing something. It was challenging, but it was fun. So that's it, I think.

And then as far as your understanding and experience of server and system security, how has that grown as a result of working on GrapheneX? And are there any areas of system security that you have consciously avoided implementing in GrapheneX, just because they would either be too difficult or too bespoke?

So when I was working on GrapheneX, I had a chance to know my, you know, Linux setup better, because we were just experiencing different things with the modules and Python. So it was a good experience for me to learn the internals of a Linux system. And the thing that we tried to avoid was the firewall exploits or firewall threats, because it's something hard to configure, in my opinion. It's not for every user to configure a firewall or the network, because there are tools for it, but mostly they use iptables on Linux. And we try to avoid different threats by adding different modules about network configuration and iptables. And I hope it will help users to understand the internals of their system. But these are the things that we tried to avoid, mostly the firewall and the network things. And I hope it will help users to understand the operating system internals.

And probably we will add more modules, and we will improve the web interface. Other than those goals, we do not have anything big, or anything that will change the whole purpose of the project. But we will try to improve according to the user feedback. And I think it is a project that we should keep alive, because there are some open source projects that are gathering dust but work so well that people are still using them. So we try to keep the project updated, so that people can still use it on different machines and different systems. Basically this is our goal: keep the project updated and keep the modules updated for the individual services or configurations. So that's it about the goal.

And as far as the system support, it seems that the majority of the focus is on Linux. But I'm wondering if you have experimented at all with running it on any BSD based systems or any other operating systems that you're planning to target.

Actually, I'm talking like GrapheneX is just for Linux, but it's not; it supports Windows too. But since I'm using Linux, I just think it's just for Linux. But we plan to test GrapheneX on different systems, because we think that we can automate the hardening process on other systems too, like BSD or other things. We plan to do that, but right now it supports Linux and Windows. The Windows part is a little bit wider than the Linux one, because the Windows modules target more parts of the system than the Linux ones. It depends on us actually; it's not about Linux or Windows. But we try to find or create more modules for different operating systems.

Are there any other aspects of the work that you've done on graphene x or your experiences with managing system security and hardening processes that we didn't discuss yet that you'd like to cover before we close out the show?

So I can talk about the different techniques that we chose for hardening a system. The first one is using a checklist or list of commands. And the other one is tools, which GrapheneX is, a tool. And the third one is standards. There are some standards actually for hardening, so they're called CIS, I suppose, and all different standards like PCI DSS; they have different approaches for hardening a system. They target Windows most of the time. But we did not choose this approach while implementing GrapheneX, because the standards are maybe sometimes too strict, so they won't let you do things that you want. So we tried to use checklists for GrapheneX to automate the hardening process. You can use those checklists for manually hardening your system too, but GrapheneX is automated; it will do things automatically for you. And actually, it's a framework, so it will help you to harden your system. And I'd like to talk about the automated part of GrapheneX, which has the preset command for running different modules at once. Okay, let me explain this again. There's a preset command that will run a set of hardening commands from different namespaces or a single namespace. You can adjust the modules XML file for changing the presets. Mostly we target a part of the system, so there's a preset called kernel access restriction that will run two modules for restricting kernel access without permission. So it will run two modules in order to harden a specific part of the system. So we tried to give GrapheneX an automated design with the preset command.

Alright, well, for anybody who wants to follow along with you and get in touch, I'll have you add your preferred contact information to the show notes. And so with that, I'll move us into the picks, and this week I'm going to choose chess, because I've been able to spend a bit more time recently playing with my kids and my dad. So it's good to revisit it every now and then. So if you haven't found the time to play chess, or you haven't learned it yet, it's definitely worth a shot. It's a fun game with a lot of different strategies involved. So I definitely recommend that for anybody who's looking for something to pass the time. And so with that, Orhun, do you have any picks this week?

Yes, I have a band called Cryoshell. It is originally made... There's a Lego set called Bionicle, and they make the advertisement or short film songs for the Lego set Bionicle. And I think they are very good at this job and their songs are amazing. I will pick two songs of theirs. One of them is Creeping in My Soul, and Gravity Hurts. They are very amazing songs; I suggest everyone listen to them. So that's it.

Well, thank you for taking the time today to join me and discuss your work on GrapheneX. It's definitely an interesting project, and it's targeting a very necessary space for people to understand, and it's great to make that a bit easier for them. So thank you for all of your efforts on that front, and I hope you enjoy the rest of your day.

Thank you for listening. Don't forget to check out our other show, the Data Engineering Podcast at dataengineeringpodcast.com, for the latest on modern data management. And visit the site at pythonpodcast.com to subscribe to the show, sign up for the mailing list and read the show notes. And if you've learned something or tried out a project from the show, then tell us about it. Email host at podcast